1. Field of the Invention
This invention relates generally to a system and method for preventing an old, vulnerable version of a software file from being flashed into a controller and, more particularly, to a system and method for preventing an old, vulnerable version of a software file from being flashed into a vehicle electronic control unit (ECU) that includes updating a security code each time a new software file is released to correct a security vulnerability.
2. Discussion of the Related Art
Most modern vehicles include electronic control units (ECUs), or controllers, that control the operation of vehicle systems, such as the powertrain, climate control system, infotainment system, body systems, chassis systems, and others. Such controllers require special purpose-designed software in order to perform the control functions. With the increasing number and complexity of these controllers, and the growing threat posed by developers of malicious software, it is more important than ever to authenticate the source and content of binary files that are loaded on automotive controllers. The consequences of using software that is not properly validated, or worse, maliciously designed, in a vehicle controller include unintended behavior of the vehicle or its systems, loss of anti-theft features on the vehicle, potential tampering with components such as the odometer, and loss of other vehicle features and functions.
One known digital coding technique is referred to as asymmetric key cryptography, which uses digital signatures for authenticating files that are programmed into controllers. As would be well understood by those skilled in the art, asymmetric key cryptography uses a pair of mathematically related keys, known as a private key and a public key, to encrypt and decrypt a message. To create a digital signature, a signer uses his private key, which is known only to himself, to encrypt a message. The digital signature can later be decrypted by another party using the public key, which is paired to the signer's private key.
Flashing is a well-known process for uploading software, calibration files and other applications into a flash memory of a vehicle ECU or other programmable device. A bootloader is an embedded software program loaded on the ECU that provides an interface between the ECU and a programming device that is flashing the software. The bootloader may employ asymmetric key cryptography and store a public key that must be used to decode the digital signature transferred by the programming device before allowing the ECU to execute the software or calibration.
The file header associated with a software file typically includes information about the file and information relating to the code that follows that header, including module ID, compatibility ID, signature, address ranges, etc. Once a software file has been released, properly flashed and is operating in an ECU, it may be discovered that the software file has some security vulnerability through which a potential hacker could maliciously gain access to the ECU. When such a security vulnerability is identified, the vehicle manufacturer may revise the software file so that the security vulnerability is eliminated. The new software file will then be flashed into the ECU to replace the vulnerable software programmed into the ECU memory. However, the ECU may still be vulnerable, because a potential hacker having the vulnerable old version of the software file with the proper authentic signature could load that software file back onto the ECU and then exploit the security vulnerability. In other words, if an ECU has been flashed with a revised software file that corrects a security vulnerability, a potential hacker may gain access to an older version of the software file that has been properly signed but includes the security vulnerability, load that software file back onto the ECU, and then exploit the security vulnerability.
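One way a bootloader can enforce the security-code rule the invention proposes, written here as an added example (not code from the patent): the header layout (three 4-byte big-endian fields), the `accept_software_file` and `parse_header` names, and an ECU-side security code held in non-volatile memory that only moves forward are all assumptions of this example, and the public-key signature check is taken as already performed by the bootloader and passed in as `sig_valid`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed header layout (an assumption, not the patent's format):
 * module ID, compatibility ID and security code as 4-byte big-endian
 * fields, followed by the signed code image. */
#define HDR_LEN 12

struct file_header {
    uint32_t module_id;
    uint32_t compat_id;
    uint32_t security_code;
};

/* Security code the ECU last accepted, kept in non-volatile memory.
 * Assumed model: it only ever ratchets forward, never back. */
uint32_t ecu_min_security_code = 0;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the fixed header; returns 0 on success, -1 if too short. */
int parse_header(const uint8_t *buf, size_t len, struct file_header *h)
{
    if (buf == NULL || len < HDR_LEN) return -1;
    h->module_id = be32(buf);
    h->compat_id = be32(buf + 4);
    h->security_code = be32(buf + 8);
    return 0;
}

/* Returns 1 if the file may be flashed, 0 if it must be rejected.
 * sig_valid is the outcome of the bootloader's public-key signature
 * check, which is performed elsewhere and not modelled here. */
int accept_software_file(const uint8_t *buf, size_t len, bool sig_valid,
                         uint32_t expected_module, uint32_t expected_compat)
{
    struct file_header h;
    if (!sig_valid) return 0;                        /* unauthentic */
    if (parse_header(buf, len, &h) != 0) return 0;   /* malformed */
    if (h.module_id != expected_module) return 0;    /* wrong ECU */
    if (h.compat_id != expected_compat) return 0;    /* incompatible */
    /* Validly signed but carrying an older security code: this is the
     * rollback to a vulnerable release described above, so reject it. */
    if (h.security_code < ecu_min_security_code) return 0;
    ecu_min_security_code = h.security_code;         /* ratchet forward */
    return 1;
}
```

A file with the same security code as the stored one is still accepted, so re-flashing the current release remains possible; only a lower code is refused.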